package com.kqzz.tbxt.config;

import com.kqzz.common.exception.AuthExceptionEntryPoint;
import com.kqzz.common.exception.CustomAccessDeniedHandler;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.AccessTokenConverter;
import org.springframework.security.oauth2.provider.token.DefaultAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.RemoteTokenServices;
import org.springframework.security.oauth2.provider.token.ResourceServerTokenServices;

/**
 * 资源服务配置
 * @ EnableResourceServer 启用资源服务
 * @ EnableWebSecurity 启用web安全
 * @ EnableGlobalMethodSecurity 启用全局方法安全注解，就可以在方法上使用注解来对请求进行过滤
 */
@Configuration
@EnableResourceServer
@EnableWebSecurity
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {

	@Value("${spring.application.name}")
    private String applicationName;

	@Value("${security.oauth2.authorization.check-token-access}")
	private String checkTokenUrl;

	@Value("${security.oauth2.client.client-id}")
	private String clientId;

	@Value("${security.oauth2.client.client-secret}")
	private String clientSecret;

	@Autowired
	private CustomAccessDeniedHandler customAccessDeniedHandler;

	@Autowired
	private AuthExceptionEntryPoint authExceptionEntryPoint;

	@Bean
    public ResourceServerTokenServices tokenServices() {
        RemoteTokenServices remoteTokenServices = new RemoteTokenServices();
        remoteTokenServices.setCheckTokenEndpointUrl(checkTokenUrl);
        remoteTokenServices.setClientId(clientId);
        remoteTokenServices.setClientSecret(clientSecret);
        remoteTokenServices.setAccessTokenConverter(accessTokenConverter());
        return remoteTokenServices;
    }

	@Bean
    public AccessTokenConverter accessTokenConverter() {
        return new DefaultAccessTokenConverter();
    }

	@Override
    public void configure(HttpSecurity http) throws Exception {
        http.csrf().disable().exceptionHandling()
                .authenticationEntryPoint(authExceptionEntryPoint)
                .and()
                .authorizeRequests()
                .antMatchers("/actuator/**","/webjars/**","/resources/**",
        				"/v2/api-docs", "/swagger-resources/configuration/ui",
        				"/swagger-resources","/swagger-resources/configuration/security",
        				"/doc.html","/css/**", "/js/**","/images/**","/affixfiles/**","/file/**","/file/**","/manage/**","/queryDicRoot/**","/tb/**","/user/**", "/tenant/**", "/tenant/server-address/**").permitAll()//,
                .antMatchers("/actuator/**","/webjars/**","/swagger/**","/swagger-ui.html","/swagger-resources/**","/v2/**").permitAll()
                .anyRequest().authenticated()
                .and()
                .httpBasic();
        // api摘要签名校验过滤器
//        http.addFilterAfter(new ApiSignCheckFilter(), HeaderWriterFilter.class);
    }

	@Override
	public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
//	    resources.tokenExtractor(customTokenExtractor);
	    resources.resourceId(applicationName).authenticationEntryPoint(authExceptionEntryPoint)
	            .accessDeniedHandler(customAccessDeniedHandler);
	}
}
